Traditional malware is typically programmed to infect and run on personal computers and servers with standard operating systems (OSs) installed. These types of machines are common and often inadequately protected from malware attacks. The ease with which a piece of malware can find an unprotected standard OS computer is one reason why most malware is written to infect these systems. However, malware can also be written to infect non-standard or application-specific OSs, such as the software that runs on and manages firewalls, routers, and other network infrastructure devices.
Malware written to infect network infrastructure hardware such as routers, firewalls, or other network devices is less common but can still be a significant threat. Network devices can be thought of as special-purpose computers: they run an operating system, often some variant of Linux, and they run applications specific to the functionality of the device. Just like a regular computer, these devices can become infected with malware, but there is no easy way to determine whether a network device is compromised by examining the device itself. Because they are mostly closed systems, it is not possible to install third-party security software on the device. A network administrator can examine the device and its settings, but sufficiently advanced malware could spoof any data presented back to the administrator. If there is a hardware implant, detection is practically impossible from examining device settings alone.
Intrusion detection systems (IDSs) can detect malware infections of network hardware, but IDSs are typically signature-based, which means the IDS must already know about a particular attack before it can detect it. If the router or firewall is compromised with a new or novel piece of malware, there will be no known signatures for it, and as long as it sends packets that conform to RFC standards with proper headers and normal-looking payloads, there is nothing to tell the IDS that the packet comes from a malicious source.
Compromised networked devices are particularly insidious for a number of reasons. First, a router or firewall has access to all network traffic which means the malware could harvest data as it passes through to be exfiltrated at a later time. We also expect these devices to protect all other devices from compromise. So if the firewall is compromised, it could allow in or out data that otherwise would not be allowed. And, as stated before, there is no easy way to monitor these devices so users must make major assumptions that the manufacturer built a solid device with no bugs and that the device was not tampered with at any time. Both of these are difficult to guarantee.